Data retention directive hearing today

Today was the last chance to comment on the implementation of the EU Data Retention Directive in Norwegian law. The Norwegian Data Protection Agency has, like all privacy protection agencies and ombudsmen in Europe, voiced serious concerns about the increased logging and longer storage time for traffic data. The proposal is to retain data for one year, the same as the other Nordic countries.

The Ombudsman for Children in Norway states that privacy is important for children, and the intention of preventing sexual crimes is not a valid excuse for violating privacy, especially in a situation where the police do not take seriously the digital evidence they have access to today. Several politicians and institutions have voiced the opinion that preventing one sexual crime is a valid reason to store information about us all, and to dispense with probable cause and the charging of specific persons before getting access to traffic patterns.

My own union, Tekna, decided to come out in favor of the Data Retention Directive, even though its members are strongly divided on the issue, with most of the IT industry strongly against the proposed implementation. I should not talk about the embarrassing use of surveillance that happened during the Cold War; it probably suffices to say that unions are normally not in favor of extended surveillance (with the exception of the largest one, which kept an eye on the commies when needed).

My employer is not party to the regulations set out, since Uninett is a closed network for education and research, and is not open to the general public. The Directive applies to public networks, including all public ISPs, phone and mobile suppliers. Under the currently proposed national implementation, these are required to cover their own costs for storing information, whereas access to the information will be paid for by the relevant authority accessing it.

It has been pointed out that 30% of international phone calls are based on Skype, which is not party to the Data Retention Directive. Even if one would want to store the information for the time period indicated in the Directive, the requirements seem to be technologically outdated, and growing more outdated by the day. Information about email traffic should be logged for a year (6-24 months is the Directive requirement), but for example Gmail and Yahoo are outside the regulations.

On the other hand, the Norwegian Police Security Service (PST) promises more terror in Norway if we do not implement the Data Retention Directive ASAP. We have not implemented it yet, and the number of terrorist acts has been significantly lower than in the UK or France, where the directive is implemented. Those are probably irrelevant facts, when seen from the police side.

To be fair to the politicians, it is rather difficult to say no to the EU directives given the current state of the EEA (EØS) treaty. Sometimes difficult things need doing.